[keycloak-dev] PicketLink and KC Integration
Stian Thorgersen
stian at redhat.com
Wed Jul 23 05:06:00 EDT 2014
As JavaEE security is lacking at best it would be nice to see integration with PL to use PL CDI and permissions.
I haven't looked at PL for a while, so I'm not 100% up to date with how it all works now. However, this doesn't seem like the correct approach to me. As Bill pointed out our as7/undertow adapters already do this stuff. IMO an application should be secured using the KC adapters, then use PL CDI/permissions when JavaEE security mechanisms are not enough.
----- Original Message -----
> From: "Pedro Igor Silva" <psilva at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Wednesday, 23 July, 2014 3:27:33 AM
> Subject: [keycloak-dev] PicketLink and KC Integration
>
> Hi All,
>
> Currently, I'm working in a new identity store to handle tokens issued by
> a specific IdP. KeyCloak is one of them.
>
> So far, I'm trying to provide an easy way to integrate KC with PL. But it
> will also be useful for SAML-based apps.
>
> My first use case is simple. A REST application provides endpoints
> protected by roles. The client application authenticates using an IdP
> (eg.: KC) and invoke the REST endpoints by sending the token on every
> single request. The application then validates, extract user information
> from the token and creates a security context for a specific request.
>
> This identity store will operate in two modes:
>
> 1) Stateless. Useful for applications acting only as a Service
> Provider. In this case, the app only wants to join a SSO session and
> use all information provided by a token to perform in-house
> authorization such as RBAC. Tokens are not persisted and are usually
> short-lived.
>
> 2) Stateful. Useful for applications that want to use a specific token
> to invoke 3rd party APIs. In this case, the app wants to login using
> a social provider (eg.: facebook, github or even KC) and store the
> token and user information locally for later use. Once stored, the
> app can retrieve the token and use it to invoke an external API.
>
> What I did so far is related with #1 and the functionality is covering:
>
> - Usage of keycloak.js to redirect users to login page and renew
> tokens.
> - Send KC token in every single request to a specific PL filter that
> knows how to process tokens.
> - Validate the token and create a security context for an user.
> Considering KC, the validation involves the expiration time,
> signature, audience, issuer, etc.
> - Extract from the token identity information such as username, roles,
> realm, etc.
> - Support authorization checks based on the information extracted from
> a token.
>
> I still have some gaps to fill, but I would like to know what are your
> thoughts about how PL and KC can work together. AFAIK, KeyCloak is more
> about authentication. If the application wants authorization based on the
> information from a token (eg.: roles) it must do it by itself. Or you
> guys already have code for that ?
>
> Thanks.
> Pedro Igor
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
More information about the keycloak-dev
mailing list